elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] The option for 'Rule Exception' should be disabled under the alerts table for deleted rule under the rules tab. #143061

Open ghost opened 2 years ago

ghost commented 2 years ago

Describe the bug

The option for 'Rule Exception' should be disabled under the alerts table for deleted rule under the rules tab.

Build info

VERSION: 8.5.0 BC3
BUILD: 56932
COMMIT: 1bb0d052c8d6842b88665c8c489f3a2d4cf4b46a

Preconditions

  1. Kibana should be running
  2. A rule should exist with alerts

Steps to Reproduce

  1. Navigate to Security > Rule detail page
  2. Delete the rule
  3. Navigate to deleted rule
  4. Click on more action of alerts
  5. Observe that 'Rule Exception' is enabled

Actual Result

The option for 'Rule Exception' is enabled under the alerts table for deleted rule under the rules tab.

Expected Result

The option for 'Rule Exception' should be disabled under the alerts table for deleted rule under the rules tab.

Screen-record

https://user-images.githubusercontent.com/61860752/195088343-2d2a180c-c9ee-4694-ad84-1f793c72bccc.mp4

elasticmachine commented 2 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

ghost commented 2 years ago

@karanbirsingh-qasource Please review!!

elasticmachine commented 2 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

cybersecdiva commented 1 year ago

Tested in current 8.7.0 deployment:

Preconditions:

Steps to reproduce behavior:

  1. Navigate to Security -> Rules
  2. Select a custom rule
  3. In the Rules detail page -> click on the 3 dots and select Delete rule
  4. Navigate to Alerts tab -> Click on an alert for the deleted rule
  5. Click on More actions. The More actions drop down list will show the Add rule exception option enabled
  6. Click on the Add rule exception option. The Add rule exception flyout menu displays with enabled fields.

Results:

The Add rule exception option is enabled under the Alerts tab for the deleted rule

Expected results:

Add rule exception should be disabled under the Alerts tab for the deleted rule

Screen video capture:

https://user-images.githubusercontent.com/35679937/230503364-8151f64c-d049-49a9-9484-792307946537.mp4

Observations:

An error occurred submitting exception banner and a popup message box
An error occurred submitting exception 
Unable to add exception to rule - rule with id: "e37c1bf0-b94f-11ed-a591-6fc384a98494" not found (500)

Conclusion:

Validated that behavior is still occurring in 8.7.0

cc: @MadameSheema Update FYI Observations

cybersecdiva commented 1 year ago

Tested in 8.9.0 deployment:

Build Details:
VERSION: 8.9.0 BC5
BUILD: 64715
COMMIT: beb56356c5c037441f89264361302513ff5bd9f8

Preconditions:

Steps to reproduce behavior:

  1. Navigate to Security -> Rules
  2. Select a custom rule
  3. In the Rules detail page -> click on the 3 dots and select Delete rule
  4. Navigate to Alerts tab -> Click on an alert for the deleted rule
  5. Click on More actions. The More actions drop down list will show the Add rule exception option enabled
  6. Click on the Add rule exception option. The Add rule exception flyout menu displays with enabled fields.

Results:

The Add rule exception option is enabled under the Alerts tab for the deleted rule

Expected results:

Add rule exception should be disabled under the Alerts tab for the deleted rule

Screen video capture:

https://github.com/elastic/kibana/assets/35679937/a3deaa52-aa83-4a6a-85a4-b4e4d981f937

Observations:

An error occurred submitting exception banner and a popup message box
An error occurred submitting exception 
Unable to add exception to rule - rule with id: "57a940a0-15c3-11ee-a435-f5df1545205e" not found (500)


Conclusion:

Validated that behavior is still occurring in 8.9.0 BC5

cc: @MadameSheema @yctercero @dhurley14 Updated FYI Observations

pborgonovi commented 3 months ago

Validated latest BC 8.15 and issue still present:

https://github.com/user-attachments/assets/01202203-2a8c-4bca-bf82-a9ff79c99224

Error:

{
  "name": "Error",
  "body": {
    "statusCode": 400,
    "error": "Bad Request",
    "message": "[request params]: Invalid value \"undefined\" supplied to \"id\""
  },
  "message": "",
  "stack": "Error\n    at fetch_Fetch.fetchResponse (https://paula-8-15-3.kb.us-west2.gcp.elastic-cloud.com:9243/674b3abcdff6/bundles/core/core.entry.js:16:219660)\n    at async https://paula-8-15-3.kb.us-west2.gcp.elastic-cloud.com:9243/674b3abcdff6/bundles/core/core.entry.js:16:217652\n    at async https://paula-8-15-3.kb.us-west2.gcp.elastic-cloud.com:9243/674b3abcdff6/bundles/core/core.entry.js:16:217609"
}

yctercero commented 1 month ago

@pborgonovi the exceptions tab appears disabled when I visit the rule details of a deleted rule. We could improve the UX to make the error message explicit that the rule no longer exists.

pborgonovi commented 1 month ago

@yctercero the mentioned behavior occurs while adding a rule exception via the alerts table of a deleted rule. I believe the potential fix for this scenario would be having the Add rule exception option from the more actions menu disabled in case of deleted rules.

Here are the exact steps to reproduce:

  1. Launch Details Page of a deleted rule which generated alerts
  2. From alerts table, click more actions (...) button and Add rule exception
  3. Fill out the exception information in the flyout
  4. Click Add rule exception button

The action will fail with the following error prompted:

{
  "name": "Error",
  "body": {
    "statusCode": 400,
    "error": "Bad Request",
    "message": "[request params]: id: Invalid uuid"
  },
  "message": "",
  "stack": "Error\n    at fetch_Fetch.fetchResponse (https://bug-retest-2.kb.us-west2.gcp.elastic-cloud.com/3a747006cf54/bundles/core/core.entry.js:16:222400)\n    at async https://bug-retest-2.kb.us-west2.gcp.elastic-cloud.com/3a747006cf54/bundles/core/core.entry.js:16:220392\n    at async https://bug-retest-2.kb.us-west2.gcp.elastic-cloud.com/3a747006cf54/bundles/core/core.entry.js:16:220349"
}

See the video below:

https://github.com/user-attachments/assets/1bff7623-e319-4807-b989-6f6f75487143